.Net Confidence Lost?

Microsoft sites continue to have security and availability problems.

Microsoft Corp.s road to software as a service has been so pocked by security and availability problems that customers are beginning to question whether such lapses, if not fixed, could keep .Net from becoming a reality.

The crisis of confidence follows a week in which server problems prevented Windows customers from being able to download security patches for five days and a network overload prevented many subscribers to MSDN (Microsoft Developer Network) from being able to download code for Visual Studio .Net and .Net Framework for more than a day.

The Windows Update site, which provides users with security fixes, was down for five days due to problems with domain name servers, the Redmond, Wash., company said last week.

Some Microsoft customers, such as Timothy Johns, president of Daytona Digital, a system builder in Daytona Beach, Fla., said the fact that it took Microsoft that long to fix the site will hurt confidence and perception about Microsofts ability to keep .Net Web services and the user data associated with them secure and reliable in the future.

"Microsofts update sites appear to be one of their [lowest] priorities," Johns said. "The problems there keep us busy, and it just always makes me wonder what the average user does when faced with these issues."

Microsofts goal is to be a platform provider that sells software and tools for building .Net-enabled sites, as well as the operator of consumer services that work with its Passport authentication system.

Adam Sohn, product manager for Microsofts .Net strategy, said the company is aware of its dual responsibilities. Microsoft is, in fact, developing the framework for a group of consumer Web services known as .Net My Services, said Sohn, who added that the company needs to undertake systems updates in a way that does not affect the service being delivered to customers. "Its all about trust," Sohn said. "You dont buy trust, and you dont hoodwink people into trusting you. Youve got to earn it. We regret the glitches of the past week and any bad experiences users might have had."

But customers say more action and fewer apologies are needed. "At a corporate level, the success of .Net will also rest largely on Microsofts ability to provide full and timely disclosure of planned changes to the operating environment for all the elements of the .Net infrastructure," said Jim Ayers, manager for Internal Information Systems at defense contractor Northrop Grumman Corp., in Azusa, Calif.

"This especially includes security issues but is not limited to them," said Ayers, adding that 99.999 percent availability is a prerequisite to any Internet service such as .Net.

But while Microsoft is betting its future on the Internet and its .Net strategy, Ayers said, "it cannot currently even support a few developers who paid $2,000 for the privilege of priority access to critical .Net software." Ayers was referring to the MSDN subscribers denied access to the Visual Studio .Net and .Net Framework code last week.

"The way we think we earn the trust of partners and end users is to make a set of assertions as to what our infrastructure [can do] and then to be measured against these and held accountable by independent third parties," Microsofts Sohn said.

The framework Microsoft has decided to adopt for these operations is known internally as "SAS 70" and was "stewarded and shepherded" by the American Institute of Certified Public Accountants, Sohn said.

While Microsoft is still in the architectural phase and still determining what these commercial operating assertions need to be, they would include things such as protection against unauthorized physical access and logical unauthorized access, updated when required in a transparent manner, and effective security and privacy controls to deliver on these policies, Sohn said.